Snort mailing list archives
Re: Snort Command/Control architecture when running as a deamon
From: Robert Ellis via Snort-devel <snort-devel () lists snort org>
Date: Thu, 7 Jan 2021 00:33:03 +0000
Quite possibly. I have discovered that the command control idea seems to be specific to previous versions of Snort. Also, taking Carl Waxman's fbstreamer.cc as inspiration, I think I can design some code that would retrieve the latest time stamp written by Snort's performance monitor, which conceptually may be a perfect fit for my needs. However it isn't clear to me that the performance monitoring code is intended to run 24/7 in live environments, so I still have some research to do. If I ever realise some working code I'll happily share it. That said I'm c#/.net core by trade, rather than c++, so no one need hold their breath.

Thanks for checking in on this. Depending upon how reliable Snort++ actually is, your own idea may be as good as any, although ultimately I'd like to find a solution that can interoperate with e.g. AWS load balancer type health checks.

Thanks again.
R

On Mon, 4 Jan 2021 at 14:36, Noah Dietrich <noah_dietrich () 86penny org> wrote:

> Would it be easier to configure the systemd service to restart snort if the service failed? Adding something like:
>
> [Service]
> Restart=on-failure
> RestartSec=5s
>
> to the Snort3 unit file?
>
> On Mon, Jan 4, 2021 at 2:30 PM Robert Ellis via Snort-devel <snort-devel () lists snort org> wrote:
>
>> Hello & Happy New Year.
>>
>> Presuming a deployment of Snort 3 on Ubuntu with Snort configured to run as a daemon and configured 'in-line' (i.e. to operate as an IPS and drop bad connections/packet streams), let us say I wanted to develop a new "Snort Health Check" daemon to continuously monitor the health of the Snort daemon.
>>
>> In the Snort manual I have found this:
>>
>> 1.10 Control Socket
>>
>> Snort can be configured to provide a Unix socket that can be used to issue commands to the running process. You must build snort with the --enable-control-socket option. The control socket functionality is supported on Linux only.
>>
>> Snort can be configured to use control socket using the command line argument --cs-dir <path> and snort config option cs_dir as follows:
>>
>> snort --cs-dir <path>
>> config cs_dir:<path>
>>
>> <path> specifies the directory for snort to create the socket. If relative path is used, the path is relative to pid path specified. If there is no pid path specified, it is relative to current working directory.
>>
>> A command snort_control is made and installed along with snort in the same bin directory when configured with the --enable-control-socket option.
>>
>> This control socket looks like it *may* be the ideal way to query the Snort daemon to determine:
>>
>> 1) that the Snort daemon is 'alive' in the most basic sense (i.e. it has been launched)
>> 2) that the Snort daemon is operational in a more specific and meaningful sense (e.g. the Snort daemon process is responsive to a command and the response is sane/consistent)
>>
>> Question 1: is that right? Or is there a better/more-appropriate alternative for programmatically querying the health of a running Snort daemon?
>>
>> Question 2: if the above does indeed seem a reasonable approach, then is there a particular command that would be a logical choice to issue for the purpose of a routine health check?
>>
>> In the Manual at Section 1.7.1 there is an illustration of Output metrics but I understand these are outputted only when Snort terminates:
>>
>> ===============================================================================
>> Run time for packet processing was 175.856509 seconds
>> Snort processed 3716022 packets.
>> Snort ran for 0 days 0 hours 2 minutes 55 seconds
>>    Pkts/min:      1858011
>>    Pkts/sec:        21234
>> ===============================================================================
>>
>> If there were a command that facilitated the output of one or more of these metrics in real-time, it might be ideal for health-checking purposes, but I have been unable to find anything documented that looks like the right fit.
>>
>> Any ideas or pointers would be gratefully received. (I intend to take a closer look at the Snort++ source code shortly, too; any pointers to the relevant sections would also be appreciated).
>>
>> Many thanks
>> Robert
>>
>> _______________________________________________
>> Snort-devel mailing list
>> Snort-devel () lists snort org
>> https://lists.snort.org/mailman/listinfo/snort-devel
>> Please visit http://blog.snort.org for the latest news about Snort!
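The thread discusses two levels of health: "launched" versus "actually working". The helpers below are an added example written for this archive page, not code from the Snort project or from either poster; they assume a pid file path, a cs_dir value (resolved against the pid path when relative, as the quoted manual text says), an assumed socket file name inside cs_dir, and some stats file that Snort keeps rewriting while it runs (Robert's perfmonitor time-stamp idea).

```shell
#!/bin/sh
# Constructed health-check helpers (not Snort project code). Assumed inputs:
#   pidfile  - the pid file Snort writes under its pid path
#   cs_dir   - the cs_dir from the config; relative values resolve against the
#              pid path, as the manual excerpt in the thread describes
#   sockname - assumed name of the socket file inside cs_dir (check your build)
#   stats    - a file Snort keeps updating while it runs (e.g. perfmonitor output)

# Resolve cs_dir against the pid path when it is relative.
resolve_cs_dir() {
  case "$1" in
    /*) printf '%s\n' "$1" ;;
    *)  printf '%s/%s\n' "$2" "$1" ;;
  esac
}

# Level 1: the daemon has been launched and the recorded pid is a live process.
# kill -0 also fails with EPERM, so run this as the Snort user or as root.
snort_process_alive() {
  [ -r "$1" ] || return 1
  pid=$(head -n 1 "$1" | tr -dc '0-9')
  [ -n "$pid" ] || return 1
  kill -0 "$pid" 2>/dev/null
}

# Level 2: the control socket exists and really is a socket, not a stale file
# left behind by a crashed instance.
snort_control_socket_present() {
  [ -S "$1/$2" ]
}

# Level 3: the daemon is still doing work: the stats file changed within $2 seconds.
snort_stats_fresh() {
  [ -f "$1" ] || return 1
  now=$(date +%s)
  mtime=$(stat -c %Y "$1" 2>/dev/null || stat -f %m "$1")
  [ $((now - mtime)) -le "$2" ]
}

# Combine the three levels; exit status 0 means healthy, 1 means a check failed.
# Usage: snort_healthcheck <pidfile> <cs_dir> <sockname> <stats> <max_age_sec>
snort_healthcheck() {
  pidfile=$1; cs_dir=$(resolve_cs_dir "$2" "$(dirname "$1")")
  sockname=$3; stats=$4; max_age=$5
  snort_process_alive "$pidfile" || { echo "FAIL: no live process from $pidfile"; return 1; }
  snort_control_socket_present "$cs_dir" "$sockname" || { echo "FAIL: no socket $cs_dir/$sockname"; return 1; }
  snort_stats_fresh "$stats" "$max_age" || { echo "FAIL: $stats older than ${max_age}s"; return 1; }
  echo "OK"
}
```

A load-balancer style probe can wrap `snort_healthcheck` and map its exit status to an HTTP 200/503, which is the interoperability the original poster was after.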